[Standards] securing in-band registration
stpeter at jabber.org
Wed Jul 18 22:34:31 UTC 2007
Back in January Ian Paterson argued that we need to make in-band
registration more secure:

And I agree:

Ian recently brought up the issue again on the Council list:

So yes we need to better secure how we do in-band registration with
servers (I care less about registration with services like MUC rooms and
transports). Right now it is way too easy to create a botnet that
registers lots of new users at various open servers and then starts
spamming existing Jabber users.

Part of the solution is requiring x:data forms for registration. Yes, as
Matthias pointed out this will make life difficult for existing clients.
So we need to define a transition strategy. Clearly define how the
x:data-only registration works and set some goals for deprecating the
old way of doing things.

Part of the solution is also XEP-0158:

If we support media-in-forms (e.g. CAPTCHAs) we may have even stronger
weapons. See XEP-0221 for the media element definition (recently moved